On Tue, 2004-03-23 at 21:45, Ryan.Oliver at pha.com.au wrote:
> > and I've been avoiding
> > binding rules to IP address until I can think completely through what
> > happens when a DHCP-managed host has its IP change. At the moment I
> > think I'm going with "most daemons break when this happens anyway, so
> > it's moot" but I'm hoping inspiration will strike.
> Shouldn't be any need to use an IP in the filtering, filter based on
> interfaces and ports only... Only time IP becomes important is when doing
> NAT...
Yes, but it's not going to be very useful if I've put in firewall hooks
that will only work properly for bastion firewalling and break the
functionality of the machine as a gateway filter. Anyway, I decided
last night I was on something of the right track with the permit_* and
revoke_* directives... I'm going to hack some more coherency into those
routines to allow for more granular rules to be set.
> Usually most daemons listen on *:port unless bound to an IP address
> in their conf (they just listen on a port) so just continue to function
> (existing sessions of course die).
Usually _old_ daemons bind to INADDR_ANY like that. Newer daemons
almost always have options to bind to a particular interface (thanks to
the more common use of multi-homed machines now). Afaik, already bound
services aren't guaranteed to notice anything has happened to the
interface until they try to write to it, _if_ they ever try.
> For ones that don't it would probably be a trivial script to
> write to detect change in dhcp lease and restart affected network services.
It's actually _not_ that trivial to handle restarting affected network
service daemons, which is why I kinda wish we had a dependency hold loop
for services that require network functionality to be of use (like
apache) like I've heard it rumored that Gentoo does.
Thankfully it _is_ trivial to write a hook that would get us to that
point, using ISC's dhclient. Looking at the man pages gets you a lot
more detail, but basically, every time dhclient is invoked, it sets a
number of environment variables and then calls /sbin/dhclient-script,
which in turn calls /etc/dhclient-enter-hooks at the outset, and
/etc/dhclient-exit-hooks at the end of what it does. This is where you
can stick things like scripts to update your RR entries with dynamic DNS
services like no-ip.org. (This is why I am baffled that some people
still use dhcpcd and dhcpd. Ted Lemon has made ISC's dhcp package into
an incredibly robust reference implementation of the protocol.)
--
The email address above is phony because my penis is already large enough, kthx.
AIM: evilDagmar Jabber: evilDagmar at jabber.org
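As an added illustration of the exit hook described in the mail above (this is example code, not from the original thread): dhclient-script sources /etc/dhclient-exit-hooks with $reason, $interface, $old_ip_address and $new_ip_address already set, so the hook can restart daemons only when the lease actually changes the address. It assumes SysV-style /etc/init.d/<service> scripts and a service list, both chosen for the example.

```shell
# Example /etc/dhclient-exit-hooks fragment (added here, not from the mail).
# dhclient-script sources this file, so $reason, $interface,
# $old_ip_address and $new_ip_address are already in the environment.

# Daemons that bind to a specific address and so must be restarted when it
# changes. Assumed list for this example; adjust per host.
AFFECTED_SERVICES="${AFFECTED_SERVICES:-apache sshd}"

# Decide whether this hook invocation is an address change worth acting on.
# Arguments: reason old_ip new_ip. Returns 0 to act, 1 to ignore.
lease_changed_address() {
    case "$1" in
        BOUND|REBOOT)  [ -n "$3" ] ;;       # fresh lease: act only if we got an address
        RENEW|REBIND)  [ "$2" != "$3" ] ;;  # renewed with the same address: nothing to do
        *)             return 1 ;;          # PREINIT, MEDIUM, TIMEOUT, EXPIRE, FAIL ...
    esac                                    # (no address to restart onto, so ignore)
}

# Restart each affected service via its init script. dhclient runs
# detached, so report through syslog rather than stdout.
restart_affected_services() {
    for svc in $AFFECTED_SERVICES; do
        if [ -x "/etc/init.d/$svc" ]; then
            logger -t dhclient-exit-hooks \
                "restarting $svc after $reason on $interface (${old_ip_address:-none} -> $new_ip_address)"
            "/etc/init.d/$svc" restart
        fi
    done
}

if lease_changed_address "${reason:-}" "${old_ip_address:-}" "${new_ip_address:-}"; then
    restart_affected_services
fi
```

Because dhclient-script sources the file rather than executing it, anything that fails here with set -e enabled can abort the rest of the lease processing, so keep the hook defensive.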